Mobile Systems Secure State Management

Abstract

Today's mobile devices are equipped with sophis-ticated chain-of-trust mechanisms, able to successfully mitigate tampering of critical software components. However, this tech-nology, on the one hand, hinders the permanence of malware, thus raising the complexity for developing rootkits. On the other hand, the freedom of the end-user is limited. In fact, with all the security features enabled, one could not run any privileged code without it being signed by the Original Equipment Manufacturer; modifying any component of the root partition would cause a device read error and small modifications could be even rolled back automatically. Original Equipment Manufacturers typically provide mechanisms to (partially) disable these security features. However, they usually require two conditions: every unlock request must be approved by them, e.g. for warranty implications; secondly, to preserve the device security level, each time a security feature is disabled, the user data must be completely erased. We analyze several bootloader related vulnerabilities which allow to bypass these two requirements by exploiting design and implementation flaws in smartphones from different vendors. We then propose a novel architecture for secure device status storage and management. Our proposal relies only on commodity hardware features, which can be found on most mobile platforms. Furthermore, differently from many commercial implementations, we do not consider the storage device firmware as trusted, this makes our attack surface smaller than all of the examined alternatives.